Transcript of archive.hack.lu/2015/TotallySpies.pdf (hack.lu 2015), by Joan Calvet @joancalvet, Marion Marschalek @pinkflawd and Paul Rascagnères @r00tsbsd

Page 1:

Joan Calvet@joancalvet

Marion Marschalek@pinkflawd

Paul Rascagnères@r00tsbsd

Page 2:

Once upon a time…

Page 3:

Page 4:

Page 5:

Page 6:

[Timeline figure, 2009 to 2014 (years shown: 2009, 2011, 2014); families placed on it: TFC, NBOT, NGBD]

Page 7:

NBOT

Obviously DDoS

No packer or crypter

C&Cs sinkholed by Kaspersky

Page 8:

Bunny

(Image: http://dopemichael.deviantart.com/art/Dead-Bunny-Wallpaper-119327469)

Page 9:

SCRIPTABLE BOT

[Bunny architecture diagram; labels as they appear: Main Thread (net.cap0); net.cap1; net.cap2; net.cap3; Hearer 0; Hearer 1; Hearer 2; Hearer 3; Command Parsing; Script Execution; HTTP; Crontasks; DB file; Backfile Thread; Perflib_Perfdat_dmpbX.dat; Response to C&C and to dumpfile; Performance Monitor; through lua script injection]

Page 10:

BABAR

Page 11:

Babar: PET (Persistent Elephant Threat)

• Espionage par excellence
• Keylogging, screenshots, audio captures, clipboard data, what-not.
• Via local instance or through:
  • hooking APIs in remote processes
  • after invading them via global Windows hooks

Page 12:

Modus Operandi Elephanti

[Diagram labels: Regsvr32.exe; Babar DLL; Main instance; Child instance (x2); Process of interest; Named Pipes; Global Windows hook for WH_KEYBOARD / WH_GETMESSAGE; API Hooking with inline hooks; Data dump module; Keylogger; Clipboard snooping; Other stuffz; List of process names from config]

Page 13:

1. Create section object with crucial information: pipe name, number of existing instances, export name to be called
2. Copy function stub to target process memory
3. Create remote thread, which loads the Babar DLL, calls the indicated export and hands over data from the shared object
4. Happily run DLL

[Diagram labels: Regsvr32.exe; Babar DLL; Main instance; Child instance (x2)]

Page 14:

Keylogger (Main instance, Data dump module)

Invisible message-only window; message dispatching receives WM_INPUT

Register raw input device with a RAWINPUTDEVICE struct as follows:
• Set RIDEV_INPUTSINK flag: receive system-wide input
• usUsagePage set to 1: generic desktop controls
• usUsage set to 6: keyboard

On WM_INPUT call GetRawInputData

Map virtual key code to character & log to file

Page 15:

Hiding in plain sight

[Diagram labels: Main instance; Process of interest; Named Pipes; Global Windows hook for WH_KEYBOARD / WH_GETMESSAGE; API Hooking with trampoline functions]

Page 16:

Rooootkittykittykitty

Internet communication | File creation | Audio streams

[Detours-style hooking diagram: Source Function and Target Function before hooking; Source Function, Detour Function, Trampoline Function and Target Function after hooking]

http://research.microsoft.com/en-us/projects/detours/

Page 17:

“To people who ask me to compare the complexity of #Regin and #Babar, keep in mind that a Peugeot is enough for the day-to-day life ;)” – Paul Rascagnères

Page 18:

Page 19:

Casper is a reconnaissance tool developed in C++

Deployed in April 2014 on Syrian targets through a Flash 0day (CVE-2014-0515)

Exploit + Casper binaries + C&C server all hosted on the website of the Syrian Justice Ministry:
http://jpic.gov.sy/css/images/_cgi/index.php

Page 20:

Casper Playing Chess Against AVs

Page 21:

Payload Installation

Crash when Casper calls the (wrong) retrieved address!

Page 22:

Detailed report sent to C&C

C&C sends back XML file (embedded into a PNG) indicating payload to deploy

Page 23:

Page 24:

Espionage backdoor with numerous features. For example, complex file search requests:

“Give me all files with .doc extension, whose size is greater than X bytes and were modified in the last Y days”

Developed in C++ in a modular fashion

Popped up in Iran in 2013

Page 25:

Dino Modules

Name      Purpose
PSM       Encrypted on-disk copy of Dino modules
CORE      Configuration storage
CRONTAB   Tasks scheduler
ENVVAR    Storage for environment variables

Page 26:

Page 27:

Configuration excerpt (CORE module):

recID:      11173-01-PRS                     WIDESTR
Version:    1.2                              WIDESTR
BD_Keys:    4D414…[REDACTED]…B3506           BYTES
ComServer0: http://azhar.bf/[REDACTED].php   STR

Page 28:

“cronlist” output (CRONTAB module):

Id Cron String Local Count Command Visibility
C1 44 15 07 04 2015 * -d -1 wakeup regular

Page 29:

Page 30:

Dino Talks Too Much

“decyphering failed on bd”
“Can't change the past,sorry...”
“Date is invalid ! Date Format is ddmmyyyy”
“PB, hash or size couldn't be verified so file was deleted”
“No available Com Server yet ? Try again.”
“Invalid size parameter”

Page 31:

RamFS

Temporary “file-system” mounted in memory from an encrypted blob stored in the Dino configuration

Once mounted, RamFS remains stored in encrypted chunks, decrypted on demand

In Dino, RamFS initially contains one file (“a.ini”), which is executed to remove the malware from the system:

INSTALL -A "wusvcd" -U

Page 32:

RamFS Commands

Command   Purpose
INSTALL   Triggers installation or uninstallation of the malware
EXTRACT   Extracts a file stored in RamFS to the real file system
EXEC      Executes a file stored in RamFS
INJECT    Injects a file stored in RamFS in a designated process
KILL      Terminates a running process

Page 33:

Is RamFS Custom?

File names and file content are in Unicode

Maximum file name length is 260 characters

Unencrypted chunks are 540 bytes long

No metadata on files (?)

Page 34:

The link©

?

Page 35:

API obfuscation

All Cartoons use the same approach:

1. Load the library in memory
2. Generate a hash for each exported function name
3. Check if the generated hash is equal to the hash that the malware wants to execute
4. If yes, execute the function

We identified 2 hash algorithms

Page 36:

API obfuscation

Algorithm used by Bunny & Casper

#!/usr/bin/python
# Hash used by Bunny and Casper to look up an API by hash instead of by name

def rol32(value, count):
    # rotate a 32-bit value left by `count` bits
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF

CRC = 0
function = "CreateProcessW"
for i in list(function):
    key = rol32(CRC, 7)
    CRC = ord(i) ^ key
print(function + ": 0x%08x" % CRC)

Output:
CreateProcessW: 0x46318ad1
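Added example (not code from the slides or from the Cartoon samples): the same hash run the other way round, as an analyst does when labelling the 32-bit constants found in a Bunny or Casper sample. The export list and the constants below are constructed; on a real case the names come from the export tables of the DLLs the sample loads and the constants from the disassembly.

```python
from typing import Dict, Iterable, Optional

MASK32 = 0xFFFFFFFF


def rol32(value: int, count: int) -> int:
    """Rotate a 32-bit value left by `count` bits."""
    count %= 32
    return ((value << count) | (value >> (32 - count))) & MASK32


def api_hash(name: str) -> int:
    """Bunny/Casper API-name hash: h = ord(c) ^ rol32(h, 7) over the ASCII name."""
    h = 0
    for ch in name.encode("ascii"):
        h = ch ^ rol32(h, 7)
    return h


def build_hash_table(export_names: Iterable[str]) -> Dict[int, str]:
    """Precompute hash -> export name for every candidate name.

    Raises on a collision so two exports never silently share a label."""
    table: Dict[int, str] = {}
    for name in export_names:
        h = api_hash(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision 0x{h:08x}: {table[h]} / {name}")
        table[h] = name
    return table


def resolve_hashes(constants: Iterable[int], table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Label each constant pulled from a sample; None when no export matches."""
    return {c: table.get(c & MASK32) for c in constants}


# Constructed sample export list (a real run enumerates e.g. kernel32.dll exports).
SAMPLE_EXPORTS = [
    "CreateProcessW", "CreateFileW", "WriteFile",
    "VirtualAlloc", "LoadLibraryA", "GetProcAddress",
]

# Constructed: constants as they might appear in a disassembly listing.
SAMPLE_CONSTANTS = [0x46318AD1, api_hash("VirtualAlloc"), 0xDEADBEEF]

if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    for const, name in resolve_hashes(SAMPLE_CONSTANTS, table).items():
        print(f"0x{const:08x} -> {name or '<unresolved>'}")
```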

Page 37:

AV identification: WMI query

Windows Security Center WMI providers:
ROOT\SecurityCenter (for operating systems before Windows Vista)
ROOT\SecurityCenter2 (Windows Vista and newer OS)

SELECT * FROM AntiVirusProduct

class AntiVirusProduct
{
  string companyName; // Vendor name
  string displayName; // Application name
  string instanceGuid; // Unique identifier
  boolean onAccessScanningEnabled; // Real-time protection
  boolean productUptoDate; // Definition state
  string versionNumber; // Application version
}

Page 38:

AV identification: a list of 64-hex-digit hashes, each labelled with the AV product it identifies (AhnLab, AntiVir, avast!, AVG, CA, DoctorWeb, F-PROT, F-Secure, G, InternetSecurity, Jiangmin, Kaspersky, McAfee, Norton, Online, Panda, Rising, ThreatFire, Trend, VirusBuster, ZoneAlarm, and three hashes without a label)

Page 39:

Emulator detection

Samples are looking for specific sandbox process names

Also Kaspersky: lstcvix.exe, tudib.exe, izmdmv.exe, ubgncn.exe, jidgdsp.exe, evabgzib.exe, qzqjafyt.exe, cnyporqb.exe, ...

[Screenshots: process-name checks for Bitdefender and Kaspersky]

Page 40:

Sample ID

All samples contain same looking ID:
• CSEC Slide: 08184
• Dino: 11173-01-PRS
• Bunny: 11206-01
• Babar: 11220-01 or 12075-01
• Casper: 13001

Page 41:

Sample ID

<speculation=on>
• CSEC Slide: 08184
• Dino: 11173-01-PRS
• Bunny: 11206-01
• Babar: 11220-01 or 12075-01
• Casper: 13001
</speculation>

Page 42:

Internal naming convention

Of course the internal naming convention is a link too

Page 43:

Really bad English usage

Page 44:

C&C sharing

Directory listing on horizons-tourisme.com:
./_vti_bin
./_vti_bin/index.html
./_vti_bin/_vti_msc
./_vti_bin/_vti_msc/d13
./_vti_bin/_vti_msc/d13/index_refresh.htm
./_vti_bin/_vti_msc/d13/index.html
./_vti_bin/_vti_msc/bb28
./_vti_bin/_vti_msc/bb28/_index.php
./_vti_bin/_vti_msc/bb28/storage
./_vti_bin/_vti_msc/bb28/storage/index.html
./_vti_bin/_vti_msc/bb28/index.html
./_vti_bin/_vti_msc/bb28/bbc.php
./_vti_bin/_vti_msc/bb28/config.inc
./_vti_bin/_vti_msc/tfc422
./_vti_bin/_vti_msc/tfc422/index.html
./_vti_bin/_vti_msc/index.html

Give me a “D” for Dino
Give me 2 “B” for BaBar
Give me a “TFC” for TaFaCalou

Page 45:

Attribution?

Page 46:

Page 47:

Analysis based on C&C

Compromised websites (gov/university/company/...), often WordPress websites; fake websites

[Bar chart, scale 0 to 9, C&C count per country: Syria, Iran, USA, Burkina Faso, Hong Kong, Saudi Arabia, Egypt, Turkey, Niger, Morocco, Ukraine, NA]

Page 48:

Analysis based on C&C

Page 49:

A few French hints

Page 50:

And FINALLY…

Page 51:

Bernard Barbier, Former Technical Director of French Secret Service

Page 52:

But attribution is hard.

Page 53:

Thank you!

Joan Calvet@joancalvet

Marion Marschalek@pinkflawd

Paul Rascagnères@r00tsbsd

Page 54:

Further Reading

• Babar Reversed: http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/
• Bunny Reversed: https://drive.google.com/file/d/0B9Mrr-en8FX4M2lXN1B4eElHcE0/view?usp=sharing
• Casper Reversed by Joan Calvet: http://www.welivesecurity.com/2015/03/05/casper-malware-babar-bunny-another-espionage-cartoon/
• Linking the Cartoon Malware to CSEC slides by Paul Rascagnères: https://blog.gdatasoftware.com/blog/article/babar-espionage-software-finally-found-and-put-under-the-microscope.html
• Slides “TS/NOFORN” at Hack.lu 2015: http://2014.hack.lu/archive/2014/TSNOFORN.pdf
• Slides on Snowglobe from CSEC: http://www.spiegel.de/media/media-35683.pdf and http://www.spiegel.de/media/media-35688.pdf
• A cyberwarfare tale on nuclear matters by Matt Suiche: http://www.msuiche.net/2015/03/09/did-alleged-dgse-used-stackoverflow-like-to-write-their-malwares/
• Dino spying malware analyzed: http://www.welivesecurity.com/2015/06/30/dino-spying-malware-analyzed/
• Animal Farm: https://securelist.com/blog/research/69114/animals-in-the-apt-farm/
• Distributing the Reconstruction of High-Level Intermediate Representation for Large-Scale Malware Analysis (Branco, Black Hat USA 2015): https://www.blackhat.com/docs/us-15/materials/us-15-Branco-Distributing-The-Reconstruction-Of-High-Level-Intermediate-Representation-For-Large-Scale-Malware-Analysis.pdf

Page 55:

Hashes (sample hashes for Bunny, Babar, NBOT, Casper, Dino and other related samples)